cgit/cgit-CVE-2011-2711-fix.diff

From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <cgit@cryptocrack.de>
Date: Fri, 22 Jul 2011 11:47:19 +0000
Subject: Fix potential XSS vulnerability in rename hint

The file name displayed in the rename hint should be escaped to avoid
XSS. Note that this vulnerability is only applicable when an attacker
has gained push access to the repository.

Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
---
---
 ui-diff.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/ui-diff.c
+++ b/ui-diff.c
@@ -97,10 +97,12 @@
 	htmlf("</td><td class='%s'>", class);
 	cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
 		       ctx.qry.sha2, info->new_path, 0);
-	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
-		htmlf(" (%s from %s)",
-		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
-		      info->old_path);
+	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
+		htmlf(" (%s from ",
+		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
+		html_txt(info->old_path);
+		html(")");
+	}
 	html("</td><td class='right'>");
 	if (info->binary) {
 		htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
revert last commit OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cgit?expand=0&rev=5 2011-10-18 13:42:50 +02:00			`From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001`
			`From: Lukas Fleischer <cgit@cryptocrack.de>`
			`Date: Fri, 22 Jul 2011 11:47:19 +0000`
			`Subject: Fix potential XSS vulnerability in rename hint`

			`The file name displayed in the rename hint should be escaped to avoid`
			`XSS. Note that this vulnerability is only applicable when an attacker`
			`has gained push access to the repository.`

			`Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>`
			`Signed-off-by: Lars Hjemli <hjemli@gmail.com>`
			`---`
			`---`
			`ui-diff.c \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`--- a/ui-diff.c`
			`+++ b/ui-diff.c`
			`@@ -97,10 +97,12 @@`
			`htmlf("</td><td class='%s'>", class);`
			`cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,`
			`ctx.qry.sha2, info->new_path, 0);`
			`- if (info->status == DIFF_STATUS_COPIED \|\| info->status == DIFF_STATUS_RENAMED)`
			`- htmlf(" (%s from %s)",`
			`- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",`
			`- info->old_path);`
			`+ if (info->status == DIFF_STATUS_COPIED \|\| info->status == DIFF_STATUS_RENAMED) {`
			`+ htmlf(" (%s from ",`
			`+ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");`
			`+ html_txt(info->old_path);`
			`+ html(")");`
			`+ }`
			`html("</td><td class='right'>");`
			`if (info->binary) {`
			`htmlf("bin</td><td class='graph'>%ld -> %ld bytes",`